SSL snippet and drop TLS 1.0 and 1.1

roles/nginx-reverseproxy/tasks/main.yml

@@ -9,15 +9,19 @@
   retries: 3
   until: apt_result is succeeded
 
-- name: Copy certbot SSL snippet
+- name: Copy snippets
-  copy:
+  template:
-    remote_src: true
+    src: nginx/snippets/options-ssl.conf.j2
-    src: /usr/lib/python3/dist-packages/certbot_nginx/options-ssl-nginx.conf
+    dest: /etc/nginx/snippets/options-ssl.conf
-    dest: /etc/letsencrypt/options-ssl-nginx.conf
+
+- name: Copy dhparam
+  template:
+    src: letsencrypt/dhparam.j2
+    dest: /etc/letsencrypt/dhparam
 
 - name: Copy reverse proxy sites
   template:
-    src: "nginx/{{ item }}.j2"
+    src: "nginx/sites-available/{{ item }}.j2"
     dest: "/etc/nginx/sites-available/{{ item }}"
   loop:
     - reverseproxy

roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2

@@ -15,22 +15,13 @@ server {
 
 # Redirect https://{{ site.from }} to https://{{ site.to }}
 server {
-    listen 443;
+    listen 443 ssl http2;
-    listen [::]:443;
+    listen [::]:443 ssl http2;
 
     server_name {{ site.from }};
 
-    ssl on;
+    # SSL common conf
-    ssl_certificate {{ nginx.ssl.cert }};
+    include "/etc/nginx/snippets/options-ssl.conf";
-    ssl_certificate_key {{ nginx.ssl.cert_key }};
-
-    # SSL ciphers updated by Debian
-    include "/etc/letsencrypt/options-ssl-nginx.conf";
-
-    # Enable OCSP Stapling, point to certificate chain
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
 
     location / {
         return 302 https://{{ site.to }}$request_uri;
@@ -58,22 +49,13 @@ server {
 
 # Redirect https://{{ from }} to https://{{ site.to }}
 server {
-    listen 443;
+    listen 443 ssl http2;
-    listen [::]:443;
+    listen [::]:443 ssl http2;
 
     server_name {{ from }};
 
-    ssl on;
+    # SSL common conf
-    ssl_certificate {{ nginx.ssl.cert }};
+    include "/etc/nginx/snippets/options-ssl.conf";
-    ssl_certificate_key {{ nginx.ssl.cert_key }};
-
-    # SSL ciphers updated by Debian
-    include "/etc/letsencrypt/options-ssl-nginx.conf";
-
-    # Enable OCSP Stapling, point to certificate chain
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
 
     location / {
         return 302 https://{{ site.to }}$request_uri;

roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2

@@ -15,22 +15,13 @@ server {
 
 # Reverse proxify https://{{ site.from }} to http://{{ site.to }}
 server {
-    listen 443;
+    listen 443 ssl http2;
-    listen [::]:443;
+    listen [::]:443 ssl http2;
 
     server_name {{ site.from }};
 
-    ssl on;
+    # SSL common conf
-    ssl_certificate {{ nginx.ssl.cert }};
+    include "/etc/nginx/snippets/options-ssl.conf";
-    ssl_certificate_key {{ nginx.ssl.cert_key }};
-
-    # SSL ciphers updated by Debian
-    include "/etc/letsencrypt/options-ssl-nginx.conf";
-
-    # Enable OCSP Stapling, point to certificate chain
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
 
     # Log into separate log files
     access_log      /var/log/nginx/{{ site.from }}.log;

roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2

@@ -19,22 +19,13 @@ server {
 
 # Redirect https://{{ from }} to https://{{ to }}
 server {
-    listen 443;
+    listen 443 ssl http2;
-    listen [::]:443;
+    listen [::]:443 ssl http2;
 
     server_name {{ from }};
 
-    ssl on;
+    # SSL common conf
-    ssl_certificate {{ nginx.ssl.cert }};
+    include "/etc/nginx/snippets/options-ssl.conf";
-    ssl_certificate_key {{ nginx.ssl.cert_key }};
-
-    # SSL ciphers updated by Debian
-    include "/etc/letsencrypt/options-ssl-nginx.conf";
-
-    # Enable OCSP Stapling, point to certificate chain
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
 
     location / {
         return 302 https://{{ to }}$request_uri;

roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2

@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+ssl_certificate {{ nginx.ssl.cert }};
+ssl_certificate_key {{ nginx.ssl.cert_key }};
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;  
+ssl_session_tickets off;
+ssl_dhparam /etc/letsencrypt/dhparam;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# Enable OCSP Stapling, point to certificate chain
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+